From: https://blog.inliniac.net/2012/07/10/suricata-on-myricom-capture-cards/
-In this guide I’ll describe using the Myricom libpcap support. I’m going to assume you installed the card properly, installed the Sniffer driver and made sure that all works. Make sure that in your dmesg you see that the card is in sniffer mode:
+In this guide I'll describe using the Myricom libpcap support. I'm going to assume you installed the card properly, installed the Sniffer driver and made sure that all works. Make sure that in your dmesg you see that the card is in sniffer mode:
::
I have installed the Myricom runtime and libraries in /opt/snf
-Compile Suricata against Myricom’s libpcap:
+Compile Suricata against Myricom's libpcap:
::
make
sudo make install
-Next, configure the amount of ringbuffers. I’m going to work with 8 here, as my quad core + hyper threading has 8 logical CPU’s. *See below* for additional information about the buffer-size parameter.
+Next, configure the amount of ringbuffers. I'm going to work with 8 here, as my quad core + hyper threading has 8 logical CPUs. *See below* for additional information about the buffer-size parameter.
::
buffer-size: 512kb
checksum-checks: no
-The 8 threads setting makes Suricata create 8 reader threads for eth5. The Myricom driver makes sure each of those is attached to it’s own ringbuffer.
+The 8 threads setting makes Suricata create 8 reader threads for eth5. The Myricom driver makes sure each of those is attached to its own ringbuffer.
Then start Suricata as follows:
SNF_NUM_RINGS=8 SNF_FLAGS=0x1 suricata -c suricata.yaml -i eth5 --runmode=workers
-If you want 16 ringbuffers, update the “threads” variable in your yaml to 16 and start Suricata:
+If you want 16 ringbuffers, update the "threads" variable in your yaml to 16 and start Suricata:
::
::
- “The libpcap interface to Sniffer10G ignores the pcap_set_buffer_size() value. The call to snf_open() uses zero as the dataring_size which informs the Sniffer library to use a default value or the value from the SNF_DATARING_SIZE environment variable."
+ "The libpcap interface to Sniffer10G ignores the pcap_set_buffer_size() value. The call to snf_open() uses zero as the dataring_size which informs the Sniffer library to use a default value or the value from the SNF_DATARING_SIZE environment variable."
The following pull request opened by Myricom in the libpcap project indicates that a future SNF software release could provide support for setting the SNF_DATARING_SIZE via the pcap.buffer-size yaml setting:
[27708] 15/10/2010 -- 11:40:07 - (suricata.c:425) <Info> (main) – This is Suricata version 1.0.2
-(Here the part until the – is the meta info, “This is Suricata 1.0.2”
+(Here the part until the – is the meta info, "This is Suricata 1.0.2"
is the actual message.)
It is possible to determine which information will be displayed in
**Creative Commons is not a party to its public
licenses. Notwithstanding, Creative Commons may elect to apply one of
its public licenses to material it publishes and in those instances
-will be considered the “Licensor.” Except for the limited purpose of
+will be considered the "Licensor." Except for the limited purpose of
indicating that material is shared under a Creative Commons public
license or as otherwise permitted by the Creative Commons policies
published at creativecommons.org/policies, Creative Commons does not
-authorize the use of the trademark “Creative Commons” or any other
+authorize the use of the trademark "Creative Commons" or any other
trademark or logo of Creative Commons without its prior written
consent including, without limitation, in connection with any
unauthorized modifications to any of its public licenses or any other
Tcmalloc
========
-‘tcmalloc’ is a library Google created as part of the google-perftools
-suite for improving memory handling in a threaded program. It’s very
+'tcmalloc' is a library Google created as part of the google-perftools
+suite for improving memory handling in a threaded program. It's very
simple to use and does work fine with Suricata. It leads to minor
speed ups and also reduces memory usage quite a bit.
::
- LD_PRELOAD=”/usr/lib/libtcmalloc_minimal.so.0" suricata -c suricata.yaml -i eth0
+ LD_PRELOAD="/usr/lib/libtcmalloc_minimal.so.0" suricata -c suricata.yaml -i eth0
Fedora:
::
- modifysid 2010495 “alert” | “drop”
+ modifysid 2010495 "alert" | "drop"
The sid 2010495 is an example. Type the sid of the rule you desire to
change, instead.
content:".php?sign="; http_uri; pcre:"/^[a-zA-Z0-9]{8}$/UR";
-- With Snort you can't combine the “relative” PCRE option ('R') with other buffer options like normalized URI ('U') – you get a syntax error.
+- With Snort you can't combine the "relative" PCRE option ('R') with other buffer options like normalized URI ('U') – you get a syntax error.
``tls*`` Keywords
------------------
So we'll get an alert ONLY if usernamecount is over five.
-So now let’s say we want to get an alert as above but NOT if there
+So now let's say we want to get an alert as above but NOT if there
have been more occurrences of that username logging out. Assuming this
-particular protocol indicates a log out with "jonkman logout", let’s
+particular protocol indicates a log out with "jonkman logout", let's
try:
::
applications in things like login tracking, IRC state machines,
malware tracking, and brute force login detection.
-Let’s say we're tracking a protocol that normally allows five login
+Let's say we're tracking a protocol that normally allows five login
fails per connection, but we have vulnerability where an attacker can
continue to login after that five attempts and we need to know about
it.
So, you can see you can use the following to make clear on which
direction you would like to match::
- both: both directions have to match with the given geoip (geopip’s)
- any: one of the directions have to match with the given geoip (’s).
+ both: both directions have to match with the given geoip (geopip's)
+ any: one of the directions have to match with the given geoip ('s).
dest: if the destination matches with the given geoip.
src: the source matches with the given geoip.
quotation marks you can write on what you would like the signature to
match. The most simple format of content is::
- content: ”............”;
+ content: "............";
It is possible to use several contents in a signature.
already important in the signature. For matching on these characters
you should use the heximal notation. These are::
- “ |22|
+ " |22|
; |3B|
: |3A|
| |7C|
It is a convention to write the heximal notation in upper case characters.
To write for instance ``http://`` in the content of a signature, you
-should write it like this: ``content: “http|3A|//”;`` If you use a
+should write it like this: ``content: "http|3A|//";`` If you use a
heximal notation in a signature, make sure you always place it between
pipes. Otherwise the notation will be taken literally as part of the
content.
A few examples::
- content:“a|0D|bc”;
- content:”|61 0D 62 63|";
- content:”a|0D|b|63|”;
+ content:"a|0D|bc";
+ content:"|61 0D 62 63|";
+ content:"a|0D|b|63|";
It is possible to let a signature check the whole payload for a match with the content or to let it check specific parts of the payload. We come to that later.
If you add nothing special to the signature, it will try to find a match in all the bytes of the payload.
content:"Firefox/3."; distance:0; content:!"Firefox/3.6.13";
distance:-10; sid:9000000; rev:1;)
-You see ``content:!”Firefox/3.6.13”;``. This means an alert will be
+You see ``content:!"Firefox/3.6.13";``. This means an alert will be
generated if the used version of Firefox is not 3.6.13.
.. note:: The following characters must be escaped inside the content:
You have to place it after the content you want to modify, like::
- content: “abc”; nocase;
+ content: "abc"; nocase;
Example nocase:
For example::
- content:“def”; offset:3; depth:3;
+ content:"def"; offset:3; depth:3;
If this was used in a signature, it would check the payload from the
third byte till the sixth byte.
These options are perl compatible modifiers. To use these modifiers,
you should add them to pcre, behind regex. Like this::
- pcre: “/<regex>/i”;
+ pcre: "/<regex>/i";
*Pcre compatible modifiers*
User-agent: Mozilla/5.0 Badness;
- content:”User-Agent|3A|”;
- content:”Badness”; distance:0;
+ content:"User-Agent|3A|";
+ content:"Badness"; distance:0;
In this example you see the first content is longer and more varied
than the second one, so you know Suricata will use this content for
::
- content:”User-Agent|3A|”;
- content:”Badness”; distance:0; fast_pattern;
+ content:"User-Agent|3A|";
+ content:"Badness"; distance:0; fast_pattern;
The keyword fast_pattern modifies the content previous to it.
For example::
- content: “aaaaaaaaabc”; fast_pattern:8,4;
+ content: "aaaaaaaaabc"; fast_pattern:8,4;
This way, MPM uses only the last four characters.
This mode is one of main motivation behind this code. The idea is to
be able to ask to Suricata to treat different pcap files without
having to restart Suricata between the files. This provides you a huge
-gain in time as you don’t need to wait for the signature engine to
+gain in time as you don't need to wait for the signature engine to
initialize.
To use this mode, start suricata with your preferred YAML file and
sequentially processed and the generated log/alert files will be put
into the directory specified as second arguments of the pcap-file
command. You need to provide absolute path to the files and directory
-as Suricata doesn’t know from where the script has been run. If you pass
+as Suricata doesn't know from where the script has been run. If you pass
a directory instead of a file, all files in the directory will be processed. If
using ``pcap-file-continuous`` and passing in a directory, the directory will
be monitored for new files being added until you use ``pcap-interrupt`` or
projects / thirdparty / suricata.git / commitdiff
